Organisations are storing large volumes of information that is subject to both UK and European data protection laws, meaning they must pay close attention to how and where that data is stored and processed in the event of its migration to an external cloud service platform.

A business located in the UK, for example, is subject to the Data Protection Act 1998, which includes an obligation that the customer retains close control over its personal data, even when it is being processed by a third party on its behalf, and retains legal responsibility for that data’s integrity.

Whilst EU law does not prohibit the transfer of personal data outside the European Economic Area (EEA), which includes all the countries in the European Union as well as Iceland, Liechtenstein and Norway, it does insist that adequate data protection safeguards, including measures to ensure the data is properly isolated and deleted when appropriate, are in place before that processing takes place, unless the destination country has been pre-approved by the European Commission as having adequate data protection.

Any external cloud service provider trusted to handle company information must therefore be able to demonstrate adherence to any relevant data protection rules and provide visibility into security, storage and data retention processes. This potentially includes allowing information security monitoring and audits, and linking externally hosted systems to on-premises platforms within broader hybrid cloud service delivery via secure network links such as virtual private networks (VPNs).

Companies should work closely with the provider to establish the exact details of service policies, processes and controls which determine how their personal data will be kept secure and establish safeguards to ensure information is stored in line with applicable laws.